Sony Breach Ignites Phishing Fears

Are consumers getting apathetic about data breaches - and are the fraudsters taking advantage?

Sony Corp.'s announcement that hackers may have accessed personal information it stores on 77 million users of its PlayStation Network and Qriocity online service follows a long line of recent breach announcements. And Neal O'Farrell of the Identity Theft Council says that string of incidents has led to consumer "breach fatigue." "The hackers understand the apathy and are taking advantage," he says.

Targeted Attacks

Spear phishing is a growing threat, and in the case of the Sony breach, it's the primary concern. Hackers appear to have penetrated a Sony server or file sometime between April 17 and April 19, gaining access to names, mailing addresses, e-mail addresses, birthdates, login and password details for the PlayStation Network and Qriocity, as well as handles [online IDs] used by Sony gamers. Additionally, cyber intruders are suspected to have gathered other details, including gamers' credit card information, billing addresses and purchase histories.

A Sony spokeswoman says, "We cannot rule out the possibility."

With billing information and other details like purchasing history, fraudsters have plenty of information to launch targeted attacks, says Alan Paller, director of research for the SANS Institute. "So, you have knowledge of these people as being gamers; you have knowledge of their music; you know what kinds of games they bought," he says. "That's the way they perpetrate fraud on the Internet."

From there, it's easy for cybercriminals to use socially engineered tactics to trick consumers into revealing other personal details, such as Social Security numbers and bank account information.

"The correlation of data is very useful," says Nicolas Christin, associate director of the Information Networking Institute at Carnegie Mellon University. "You combine the e-mail address with other information, and it's easy for fraudsters to turn that combined information into cash. People also have to realize that privacy online is hard to maintain. Consumers should be very much on the defensive."

Sony's PlayStaion Network is offline until more about the breach is uncovered. Sony has not said when it expects to be back online. A lawsuit also has been filed against Sony, alleging the gaming powerhouse waited too long to notify its customers of a possible breach. That delay, the suit filed in federal court claims, exposed PlayStation users to financial losses related to potential credit-card data theft.

Sony states on its blog that all of the credit card information it stores is encrypted. But Sony cannot rule out the possibility that the card data may have been stolen until its investigation into the breach is completed. In the meantime, Sony is sending a system software update to its gamers and asking them to change their passwords once the PlayStation Network is restored.

The investigation could take months and still not pinpoint the source of the compromise. But Paller says, given Sony's high-value as a company, a phishing attack on Sony itself likely opened the door for the hack.

"I would say they got in by doing a targeted phishing attack against an administrator or a high officer in the company," Paller says. "Common defenses don't protect against that kind of attack. Companies need to start thinking more like a bank than like a social community. Banks do a much, much better job of defending, because the value of what they are defending is so high."

Vulnerability of Payment Card?

Bob Russo, general manager of the Payment Card Industry Security Standards Council, says the council, which sets guidelines for the governance and storage of payments card data, does not monitor security compliance and has no insight into the details of any specific breach. "Until a forensics investigation is completed, there is no way to determine whether or not an organization was PCI compliant at the time of the breach," Russo says. PCI security standards, such as the PCI Data Security Standard, provide best practice guidelines for the storage and handling of cardholder data.

Even if credit card numbers were encrypted by Sony, the storing of any credit card numbers is a bad idea. "For most companies of this size that don't specialize in payments, the processing of the credit card is actually handled elsewhere," Paller says. "But the mistake that companies like this make is that they store that data, because they think they might need it sometime in the future."

About the Author

A veteran journalist with more than 18 years' experience, Kitten has covered the financial sector for the last 11 years. Before joining Information Security Media Group in 2010, where she now serves as the Executive Editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.

Operation Success!

Risk Management Framework: Learn from NIST

From heightened risks to increased regulations, senior leaders at all levels are pressured to
improve their organizations' risk management capabilities. But no one is showing them how -
until now.

Learn the fundamentals of developing a risk management program from the man who wrote the book
on the topic: Ron Ross, computer scientist for the National Institute of Standards and
Technology. In an exclusive presentation, Ross, lead author of NIST Special Publication 800-37
- the bible of risk assessment and management - will share his unique insights on how to:

Understand the current cyber threats to all public and private sector organizations;

Develop a multi-tiered risk management approach built upon governance, processes and
information systems;